To use `lando/code-sign-action` with your KeyLocker-distributed cert, you'll want to save sensitive values as GitHub Secrets, which then can be provided as inputs to `lando/code-sign-action` when you implement it in your GitHub Actions Workflow.
1. Add `KEYLOCKER_CLIENT_CERT`
   - Cert is generated by an authorized signer user in the DigiCert One interface: https://one.digicert.com/account/access/administrators
   - Cert is only downloadable (and its password shown) once on creation.
   - Certs can't be uploaded into Keychain on macOS due to incompatibilities with openssl versions: https://discussions.apple.com/thread/254518218
   - Use openssl to open the cert: `openssl x509 -in your_cert.p12 -text -noout`
   - Base64 encode the cert: `base64 -i your_cert.p12 -o encoded_cert.b64`
   - Save the base64 encoded cert as a GitHub Secret (`KEYLOCKER_CLIENT_CERT`)
2. Add `KEYLOCKER_CLIENT_CERT_PASSWORD`
   - Add the password you stored from Step 1 as a GitHub Secret (`KEYLOCKER_CLIENT_CERT_PASSWORD`)
3. Add `KEYLOCKER_API_KEY`
   - API key is generated under your signer user in https://one.digicert.com/account/access/administrators
4. Add `KEYLOCKER_CERT_SHA1_HASH`
   - This is the "fingerprint" value of the actual code signing cert found in your cert "order" in https://one.digicert.com/signingmanager/certificates-keylocker/
   - Simply copy the `Fingerprint/thumbprint` value shown under "Certificate details" and save it as a GitHub Secret (`KEYLOCKER_CERT_SHA1_HASH`)
5. Add `KEYLOCKER_KEYPAIR_ALIAS`
   - This is the `Keypair alias` value found under the "Keypair details" section in your "order" in https://one.digicert.com/signingmanager/certificates-keylocker/
   - Copy that value (should start with `key_`) and save it as a GitHub Secret (`KEYLOCKER_KEYPAIR_ALIAS`)
6. Hardcode `keylocker-host` value

   As of this writing, all KeyLocker instances use the host value `https://clientauth.one.digicert.com`. Provide that value directly to `lando/code-sign-action` for the `keylocker-host` input.
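
A malformed secret (a PEM file encoded instead of the `.p12`, a SHA-256 thumbprint pasted in place of the SHA-1 one, an alias copied from the wrong field) only shows up as a failed signing job. The following preflight check is an added example, not part of `lando/code-sign-action`: the function names are hypothetical, the variable names are the secret names from the steps above, and it assumes a `base64` that accepts `--decode` (GNU coreutils and macOS both do).

```shell
#!/bin/sh
# Added example (not from lando/code-sign-action). Function names are hypothetical;
# the variable names are the GitHub Secret names used on this page.

# Remove separators and lowercase, so "AB:CD ..." and "abcd..." compare equal.
normalize_fingerprint() {
  printf '%s' "$1" | tr -d ': \r\n' | tr 'A-F' 'a-f'
}

# SHA-1 thumbprint = exactly 40 hex digits (a 64-digit SHA-256 value fails here).
check_fingerprint() {
  fp=$(normalize_fingerprint "$1")
  [ "${#fp}" -eq 40 ] || return 1
  case "$fp" in *[!0-9a-f]*) return 1 ;; esac
}

# The page says the keypair alias should start with "key_".
check_alias() {
  case "$1" in
    key_ | *[[:space:]]*) return 1 ;;
    key_*) return 0 ;;
    *) return 1 ;;
  esac
}

# The secret must be valid base64 whose first decoded byte is 0x30, the DER
# SEQUENCE tag a PKCS#12 (.p12) file starts with. A base64-encoded PEM fails.
check_client_cert_b64() {
  tmp=$(mktemp) || return 1
  first=""
  if printf '%s' "$1" | base64 --decode >"$tmp" 2>/dev/null; then
    first=$(od -An -tx1 -N1 "$tmp" | tr -d ' \n')
  fi
  rm -f "$tmp"
  [ "$first" = "30" ]
}

# Check all five secrets from the environment; report names only, never values.
validate_keylocker_secrets() {
  rc=0
  check_client_cert_b64 "${KEYLOCKER_CLIENT_CERT:-}" || { echo "bad KEYLOCKER_CLIENT_CERT" >&2; rc=1; }
  [ -n "${KEYLOCKER_CLIENT_CERT_PASSWORD:-}" ] || { echo "empty KEYLOCKER_CLIENT_CERT_PASSWORD" >&2; rc=1; }
  [ -n "${KEYLOCKER_API_KEY:-}" ] || { echo "empty KEYLOCKER_API_KEY" >&2; rc=1; }
  check_fingerprint "${KEYLOCKER_CERT_SHA1_HASH:-}" || { echo "bad KEYLOCKER_CERT_SHA1_HASH" >&2; rc=1; }
  check_alias "${KEYLOCKER_KEYPAIR_ALIAS:-}" || { echo "bad KEYLOCKER_KEYPAIR_ALIAS" >&2; rc=1; }
  return "$rc"
}
```

Source the file in a local shell where the five variables are set, run `validate_keylocker_secrets`, and clear the variables afterwards; the messages go to stderr and never include a secret value.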
For further reference...
- DigiCert KeyLocker Setup Instructions
- KeyLocker Secrets Setup
- DigiCert SSM GitHub Action: this is what we use under the hood.
- Another 3rd Party KeyLocker Action: we
- GitHub Actions Docs
- GitHub Secrets Docs